The Biden administration on Tuesday announced it lifted the suspension of Executive Order 13920, issued last year by President Donald Trump in order to study and reduce the grid’s exposure to infiltration by foreign agents.
President Biden suspended the order — pending a 90-day review — on his first day in office, amid a raft of executive actions aimed at undoing Trump’s legacy. (See Biden Suspends Trump’s BPS Supply Chain Order.)
Trump’s order declared a national emergency regarding threats to the bulk power system by foreign adversaries, a term defined as any foreign government or nongovernment person engaged in long-term or serious instances of conduct threatening the security of the U.S., its allies or its citizens. (See NERC Issues Level 2 Supply Chain Alert.)
The order banned federal agencies, citizens and companies from transactions involving BPS equipment developed or manufactured by an entity connected with a foreign adversary that:
- poses a danger to the U.S. electric grid;
- creates a risk of catastrophic effects to U.S. critical infrastructure; or
- otherwise threatens the national security of the U.S. or the safety of its citizens.
While the executive order itself is back in effect, Biden officials have revoked some of the actions taken under its authority by their predecessors. Most notably, DOE announced on Tuesday that the prohibition order issued in December barring some U.S. facilities from acquiring equipment from China has been revoked in order to “provide a consistent and clear policy environment.” The prohibition took effect Jan. 16, but because of the suspension, utilities were not required to certify compliance with DOE.
In addition, the department announced a new request for information (RFI) under the executive order, seeking input from utilities, academia, research laboratories, government agencies and other stakeholders “to inform future recommendations for supply chain security in U.S. energy systems.” A prior request last July sought information on the industry’s practices for identifying and mitigating supply chain vulnerabilities for BPS components.
“The comments received in response to the RFI will enable DOE to evaluate new executive actions to further secure the nation’s critical infrastructure against malicious cyber activity and strengthen the domestic manufacturing base,” DOE said. “Accordingly, the department expects that, [while] further recommendations are being developed, utilities will continue to act in a way that minimizes the risk of installing electric equipment and programmable components that are subject to foreign adversaries’ ownership, control or influence.”
Previous supply chain-focused actions by Biden include a February executive order instigating a review of a number of critical sectors, including energy, in order to “strengthen the resilience of America’s supply chains” ahead of future national emergencies. (See Biden Targets Energy Sector in Supply Chain Order.) The order instructs Energy Secretary Jennifer Granholm to provide a report in the next 100 days on vulnerabilities in the supply chain of high-capacity batteries used in electric vehicles, with another report due within one year on “supply chains for the energy sector industrial base,” as the secretary defines it.
CESER to Push Cyber Improvements
The administration also announced a new initiative Tuesday aimed at improving the cybersecurity of industrial control systems (ICS) at electric utilities over the next 100 days, coordinated between DOE, the electric industry and the Cybersecurity and Infrastructure Security Agency (CISA).
The initiative will be led by DOE’s Office of Cybersecurity, Energy Security and Emergency Response (CESER), currently headed by Puesh Kumar, who took over as acting principal deputy assistant secretary last week. CESER will encourage utilities to invest in “technologies and systems that enable near-real-time situational awareness and response capabilities” in ICS and operational technology (OT) networks. DOE will help by creating “concrete milestones” to judge the utility of these systems.
Other goals of the effort include:
- encouraging the use of technology or processes that enhance utilities’ detection, mitigation and forensic capabilities;
- improving the cybersecurity posture of critical infrastructure information technology networks; and
- launching a voluntary industry effort to increase visibility of threats in ICS and OT systems through new technologies.
“The safety and security of the American people depend on the resilience of our nation’s critical infrastructure. This partnership with [DOE] to protect the U.S. electric system will prove a valuable pilot as we continue our work to secure industrial control systems across all sectors,” said CISA’s acting director, Brandon Wales.